Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-29529


HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.


Published

2020-12-03T20:15:11.820

Last Modified

2024-11-21T05:24:09.323

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-22
    CWE-59

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application hashicorp go-slug < 0.5.0 Yes

References